Common Nmap command examples

Nmap is a network port scanner: it finds the open ports on networked hosts, determines which services are listening on them, and infers which operating system a host is running (OS fingerprinting). It is a standard tool for network administrators and is widely used to assess the security of networked systems.
Like most tools used in network security, Nmap is also popular with attackers. A system administrator uses it to find unauthorised servers in the environment; an attacker uses it to map a target's network layout and plan an attack.
Nmap provides options meant to lower its profile (slow timing templates such as -T0/-T1, decoy addresses with -D, packet fragmentation with -f) and tries not to disrupt the target, but it is not invisible: a default scan is noisy and will be logged by any reasonable IDS or firewall, and aggressive options such as -A or -T5 stand out even more.
Nmap syntax:

nmap [Scan Type(s)] [Options] {target specification}

I. Common Nmap operations

1. Ping scan of an address range (-sP; renamed -sn in newer Nmap versions, though -sP is still accepted as an alias). Only host discovery is performed; no port scan.

[root@localhost ~]# nmap -sP 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0040s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0036s latency).
Nmap scan report for 192.168.1.4
Host is up (0.0042s latency).
Nmap scan report for 192.168.1.5

2. List scan (-sL): only enumerate every address in the given network without sending any probe to the targets. Nmap still does a reverse-DNS lookup for each address unless -n is added, so the only traffic generated goes to your DNS resolver, not to the targets.

[root@localhost ~]# nmap -sL 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3

3. Host discovery with a TCP SYN ping (-PS). By default the SYN probe goes to port 80; a comma-separated port list (e.g. -PS22,23,25,80) changes which ports the discovery probe is sent to. Note that -PS is a host-discovery option, not a port-scan option: the open ports listed below come from the default port scan that Nmap runs afterwards (use -p to choose the ports to scan, or -sn to skip the port scan entirely).

[root@localhost ~]# nmap -PS 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST
Nmap scan report for 220.181.111.188
Host is up (0.0043s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds

4. TCP SYN (half-open) scan (-sS). Nmap sends a SYN and classifies the port from the reply (SYN/ACK = open, RST = closed, nothing or ICMP error = filtered) without completing the handshake. It needs raw-socket privileges and is the default scan type when run as root. The command below targets a /24, but the output pasted after it is from a run against the single host 220.181.111.188.

[root@localhost ~]# nmap -sS 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST
Nmap scan report for 220.181.111.188
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.56 seconds

5. TCP connect scan (-sT). Uses the operating system's connect() call and completes the full three-way handshake, so it needs no special privileges (it is the default for unprivileged users), but it is slower and more likely to be logged by the target service because a connection is actually established. As in the previous section, the output shown is for the single host 220.181.111.188.

[root@localhost ~]# nmap -sT 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST
Nmap scan report for 220.181.111.188
Host is up (0.0044s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.24 seconds

6. UDP scan (-sU). UDP scans are slow because most ports simply do not answer. A port that returns nothing is reported as open|filtered: Nmap cannot tell an open service that ignored the probe from a port dropped by a firewall. An ICMP port-unreachable reply marks the port closed, and other ICMP unreachable errors (such as the one for 161/udp below) mark it filtered. Add -sV to send service probes that can confirm which open|filtered ports are really open.

[root@localhost ~]# nmap -sU 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST
Nmap scan report for 220.181.111.188
Host is up (0.0039s latency).
Not shown: 999 open|filtered ports
PORT    STATE    SERVICE
161/udp filtered snmp

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

7. IP protocol scan (-sO): determine which IP protocols (ICMP, TCP, UDP, etc.) the target responds to. The output lists protocol numbers rather than ports.

[root@localhost ~]# nmap -sO 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST
Nmap scan report for 220.181.111.188
Host is up (0.0054s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp

Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds

8. OS detection with -A. The -A option is the aggressive bundle: OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute. Use -O alone if only the OS fingerprint is wanted. As the warning in the output shows, the fingerprint is unreliable unless Nmap finds at least one open and one closed port; against a firewalled host that exposes only filtered ports, the guesses (here an HP switch for a public web server) are little more than noise.

[root@localhost ~]# nmap -A 220.181.111.188


Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST
Nmap scan report for 220.181.111.188
Host is up (0.0050s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
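The scans in sections 3 to 8 all produce the same kind of result: a list of ports with a state, plus the "Not shown" count. Interpreting them by eye works for one host but not for a range, so the following added example (not part of the original post) reads Nmap's grepable output (the -oG option, whose "Ports:" field holds port/state/protocol/owner/service/rpcinfo/version entries), lists every reported port with its state, and checks per host the precondition that OS detection needs: at least one open and one closed port, exactly the condition the warning in section 8 complains about. The host addresses and scan lines are constructed to mirror the results shown above; nothing here is taken from a live scan.

```shell
#!/bin/sh
# Added example (not from the original post): parse the grepable output of a
# port scan (nmap ... -oG file) and (a) list every reported port with its
# state and (b) check, per host, the precondition OS detection needs: at least
# one open and one closed port. The hosts and scan lines below are constructed.

# Grepable port entries look like port/state/proto/owner/service/rpcinfo/version/
# and are comma-separated inside the tab-delimited "Ports:" field.
port_summary() {
    awk '
    BEGIN { FS = "\t" }
    /^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                # f[1]=port f[2]=state f[3]=protocol f[5]=service
                printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[2], f[5]
            }
        }
    }'
}

# OS fingerprinting compares replies from an open and a closed port; with only
# filtered ports Nmap prints "OSScan results may be unreliable". Ports folded
# into "Ignored State: closed (N)" count as closed too.
os_detect_ready() {
    awk '
    BEGIN { FS = "\t" }
    /^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]; open = 0; closed = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") open++
                    else if (f[2] == "closed") closed++
                }
            } else if ($i ~ /^Ignored State: closed /) {
                cnt = $i; gsub(/[^0-9]/, "", cnt); closed += cnt
            }
        }
        verdict = (open >= 1 && closed >= 1) ? "os-detection-ok" : "os-detection-unreliable"
        printf "%s open=%d closed=%d %s\n", ip, open, closed, verdict
    }'
}

# Constructed -oG lines: a firewalled web host (like the 220.181.111.188 result
# above), a LAN host whose unlisted ports are closed, and a UDP scan where the
# unanswered ports are reported as open|filtered.
SAMPLE_PORTSCAN=$(
    printf 'Host: 220.181.111.188 ()\tStatus: Up\n'
    printf 'Host: 220.181.111.188 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)\n'
    printf 'Host: 192.168.0.101 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.101 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.0.102 ()\tPorts: 161/filtered/udp//snmp///\tIgnored State: open|filtered (999)\n'
)

printf '%s\n' "$SAMPLE_PORTSCAN" | port_summary
printf '%s\n' "$SAMPLE_PORTSCAN" | os_detect_ready
```

Feed a real result file to the same functions with `port_summary < portscan.gnmap`. For the first constructed host the verdict is os-detection-unreliable (two open ports, no closed ones), which is the situation behind the warning in section 8; only the LAN host, whose 997 unlisted ports are closed, satisfies the precondition.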

9. Scan several hosts (list the addresses separated by spaces)

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

10. Scan an entire subnet

[root@server1 ~]# nmap 192.168.0.*                      // the * wildcard scans a whole subnet or range of addresses
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknown
 
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds

11. Find the hosts that are online

With the -sP option we can simply check which hosts on the network are up; it skips the port scan and other probing. When the targets are on the same Ethernet segment, Nmap uses ARP requests for this (which is why the MAC address appears in the output); across a router it falls back to ICMP echo and timestamp requests plus TCP probes to ports 80 and 443 when run as root.

[root@server1 ~]# nmap -sP 192.168.0.*
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds
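Sections 1, 2 and 11 all show host discovery on its own; in practice the live-host list is the input to the next scan. The following added example (not from the original post) chains the two steps: a ping scan with -sn (the current name of -sP) written as grepable output (-oG -), a small function that pulls out the hosts reported Up, and a SYN scan of only those hosts via -iL. The network range, the file names live.txt and portscan.gnmap, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): chain a host-discovery scan
# into a port scan of only the hosts that answered. -sn is the current name
# of -sP (the old spelling is still accepted); -oG - writes Nmap's grepable
# format to stdout, which is far easier to parse than the normal output.
# The network range, file names and sample output below are constructed.

# Print the address of every host whose grepable line ends in "Status: Up".
live_hosts() {
    awk '$1 == "Host:" && $NF == "Up" { print $2 }'
}

# Real pipeline (not run here; -sS needs root). -n skips reverse DNS so the
# discovery phase sends nothing but probes, and -iL feeds the live list back in.
scan_subnet() {
    nmap -sn -n -oG - "$1" | live_hosts > live.txt
    nmap -sS -p- -iL live.txt -oG portscan.gnmap
}

# Constructed stand-in for `nmap -sn -n -oG - 192.168.1.0/24`: down hosts are
# not listed, comment lines start with '#', fields are tab-separated.
SAMPLE_DISCOVERY=$(
    printf '%s\n' '# Nmap 6.40 scan initiated Mon Jun  4 14:19:00 2018 as: nmap -sn -n -oG - 192.168.1.0/24'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
    printf '%s\n' '# Nmap done at Mon Jun  4 14:19:03 2018 -- 256 IP addresses (3 hosts up) scanned in 2.87 seconds'
)

printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts
```

Run `scan_subnet 192.168.1.0/24` as root on a network you are authorised to scan; the same live_hosts filter works on the grepable output of a full port scan too, because each host still gets a "Status: Up" line there.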
Posted 2019-01-27 22:32 by reaperhero